• Aijan@programming.devOP
    link
    fedilink
    arrow-up
    1
    arrow-down
    2
    ·
    14 days ago

    Perhaps I was unclear. What I meant to say is that, whenever possible, we shouldn’t have multiple versions of a field, especially when there is no corresponding plaintext password field in the database, as is the case here.

    • nous@programming.dev
      link
      fedilink
      English
      arrow-up
      4
      ·
      14 days ago

      And they were arguing the same - just renaming the property rather than reusing it. You should only have one not both but naming them differently can make it clear which one you have.

      But here I am arguing to not have either on the user object at all. They are only needed at the start of a request and should never be needed after that point. So no point in attaching them to a user object - just verify the username and password and pass around user object after that without either the password or hash. Not everything needs to be added to a object.